<p>This rule is deprecated, and will eventually be removed.</p>
<p>By default, web browsers perform <a href="https://developer.mozilla.org/en-US/docs/Web/Performance/dns-prefetch/">DNS prefetching</a> to reduce
latency due to DNS resolutions required when an user clicks links from a website page.</p>
<p>For instance on example.com the hyperlink below contains a cross-origin domain name that must be resolved to an IP address by the web browser:</p>
<pre>
&lt;a href="https://otherexample.com"&gt;go on our partner website&lt;/a&gt;
</pre>
<p>It can add significant latency during requests, especially if the page contains many links to cross-origin domains. DNS prefetch allows web
browsers to perform DNS resolving in the background before the user clicks a link. This feature can cause privacy issues because DNS resolving from
the user’s computer is performed without his consent if he doesn’t intent to go to the linked website.</p>
<p>On a complex private webpage, a combination "of unique links/DNS resolutions" can indicate, to a eavesdropper for instance, that the user is
visiting the private page.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> Links to cross-origin domains could result in leakage of confidential information about the user’s navigation/behavior of the website. </li>
</ul>
<p>There is a risk if you answered yes to this question.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>Implement <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control">X-DNS-Prefetch-Control</a> header with an
<em>off</em> value but this could significantly degrade website performances.</p>
<h2>Sensitive Code Example</h2>
<p>In Express.js application the code is sensitive if the <a href="https://www.npmjs.com/package/dns-prefetch-control">dns-prefetch-control</a>
middleware is disabled or used without the recommended value:</p>
<pre>
const express = require('express');
const helmet = require('helmet');

let app = express();

app.use(
  helmet.dnsPrefetchControl({
    allow: true // Sensitive: allowing DNS prefetching is security-sensitive
  })
);
</pre>
<h2>Compliant Solution</h2>
<p>In Express.js application the <a href="https://www.npmjs.com/package/dns-prefetch-control">dns-prefetch-control</a> or <a
href="https://www.npmjs.com/package/helmet">helmet</a> middleware is the standard way to implement <code>X-DNS-Prefetch-Control</code> header:</p>
<pre>
const express = require('express');
const helmet = require('helmet');

let app = express();

app.use(
  helmet.dnsPrefetchControl({
    allow: false // Compliant
  })
);
</pre>
<h2>See</h2>
<ul>
  <li> OWASP - <a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">Top 10 2021 Category A5 - Security Misconfiguration</a> </li>
  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">Top 10 2017 Category A3 - Sensitive Data
  Exposure</a> </li>
  <li> <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control">developer.mozilla.org</a> - X-DNS-Prefetch-Control
  </li>
  <li> <a href="https://developer.mozilla.org/en-US/docs/Web/Performance/dns-prefetch">developer.mozilla.org</a> - Using dns-prefetch </li>
</ul>
